AUDIT REPORT
13-05

Audit of Computer Security: GPO's Risk Acceptance Process for Major Legacy and Minor Applications

February 13, 2013

Date: February 13, 2013
To: Chief Information Officer
From: Inspector General
Subject: Audit of Computer Security: GPO's Risk Acceptance Process for Major Legacy and Minor Applications
Report Number 13-05

Enclosed please find the subject final report. Please refer to the "Results in Brief" for the overall audit results. Our evaluation of your response has been incorporated into the body of the report and the response is included in its entirety at Appendix B. Management either concurred or partially concurred with the recommendations. Partial concurrence was based on budgetary limitations. We consider management's comments responsive in all material aspects to the recommendations. The recommendations are resolved and will remain open pending our verification of the completion of the agreed-upon actions.

We appreciate the courtesies extended to the audit staff. If you have any questions or comments about this report, please do not hesitate to contact me at (202) 512-0039.

MICHAEL A. RAPONI
Inspector General

Attachment
cc:
Acting Public Printer
Assistant Public Printer, Operations
General Counsel

Contents

Introduction
Results in Brief
Background
Results and Recommendations
Appendix A - Objectives, Scope, and Methodology
Appendix B - Management's Response
Appendix C - Status of Recommendations
Appendix D - Report Distribution
Major Contributors

Office of Inspector General
Report Number 13-05                                      February 13, 2013

Audit of Computer Security: GPO's Risk Acceptance Process for Major Legacy and Minor Applications

Introduction

In September 2012, Information Technology & Security (IT&S) requested that the Acting Public Printer accept the security risk for eight of its 16 major legacy applications. IT&S reported that none of the 16 applications had completed a Certification and Accreditation (C&A). IT&S reported that many of the eight major applications recommended for potential risk acceptance have been in operation for more than 20 years without any known IT security incident or fraudulent usage incident. For the remaining eight major legacy applications, GPO would allocate adequate resources to bring them into full compliance with security requirements.

The eight major legacy applications support both GPO's print procurement programs and print production operations.
GPO's print procurement programs provide comprehensive print procurement services to the entire federal government. The print procurement process relies predominantly on manual processes, with information organized in a now-aging mainframe computer environment. GPO's print production operations are configured primarily to meet the basic needs of Congress. GPO produces the daily and permanent editions — in both online and print formats — of the Congressional Record, bills, resolutions, amendments, hearings, committee reports, committee prints, documents, stationery, and a wide variety of other products. GPO is in the process of increasing efficiencies within the print procurement process and Plant Operations and is planning to reduce its reliance on existing mainframe technology.

The Acting Public Printer requested that the OIG provide input into the risk acceptance request.

IT&S has primary responsibility for information technology (IT) security policy and the security controls that protect the confidentiality, integrity, and availability of IT systems and data. IT&S conducts C&As. A C&A requires assessing risk, planning security, testing minimum security controls, creating plans of action for identified weaknesses, and mitigating risks. An authorizing officer within IT&S reviews the results of the certification and accredits the system upon determining that the system's operation poses minimal security risk. GPO has 25 major applications and 206 minor applications. IT&S classified 16 of the 25 as major legacy applications. Fourteen of the 16 major legacy applications operate in a mainframe environment.

Office of Management and Budget (OMB) Circular No.
A-130, Management of Federal Information Resources, Revised, December 2000, defines a major information system as an information system requiring special management attention because of its importance to the mission of an agency; its high development, operating, or maintenance costs; or its significant role in administering agency programs, finances, property, or other resources. Major applications are by definition major information systems. According to National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 199, "Standards for Security Categorization of Federal Information and Information Systems," February 2004, a major application is expected to have a risk impact level of either moderate or high.

NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," February 2010, defines a minor application as any application that is not a major application and that requires attention to security based on the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information in the application. Minor applications are typically included as part of a general support system. Specific system security plans for minor applications are not required because the security controls for those applications are typically provided by the general support system or major application in which they operate. Minor applications are expected to have a risk impact level of either low or moderate.

We conducted this audit to answer the following question: "What process did GPO follow when accepting risks associated with major legacy and minor applications?"

To accomplish our audit objective, we reviewed policies and procedures in place from September to December 2012.
We reviewed risk assessments and risk acceptance documentation for the eight major legacy applications IT&S reported in September 2012. To gain an understanding of the policies, procedures, systems, and processes related to IT risk assessment and acceptance, we conducted interviews with GPO staff. We also interviewed key management officials responsible for establishing and monitoring the risk acceptance process and for reviewing and approving the acceptance of risk. We randomly selected four minor applications to confirm GPO's statement that C&As and risk assessments were not conducted, and we tested for each minor application's inclusion in the umbrella security controls associated with either a general support system or a major application.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Our objective, scope, methodology, and criteria are detailed in Appendix A.

Results in Brief

GPO told us it considered the configuration of user accounts, the stage of the system life cycle, years in operation without any known security incidents, the sensitivity of the data stored, and monitoring results in making its risk acceptance decision.

While we agree this is important information, we also believe GPO could benefit from obtaining additional information to make a risk acceptance decision for its major legacy and minor applications.
For the eight major legacy applications, our audit revealed: (1) applications were not categorized as low, moderate, or high risk based on the confidentiality, integrity, and availability of the information they store, process, or transmit; (2) risk assessments were not conducted that assess the sensitivity of data, threats, vulnerabilities, and the effectiveness of current and/or proposed safeguards, nor were risk assessments documented; and (3) risk acceptance procedures or guidelines were not fully developed. We believe this condition to be true for all 16 major legacy applications. Without categorizing applications, conducting risk assessments, and providing a uniform approach to risk acceptance, GPO cannot be assured that the management controls in place apply the appropriate level of control for preventing unauthorized access, use, disclosure, disruption, modification, or destruction. Factors contributing to the deficiencies noted relate to the availability of resources — specifically, employees and funding. GPO reported that over the past 13 years the staff supporting mainframe applications declined by 68 percent and that vacancies were not filled. According to IT&S, funding is directed toward the Federal Digital System, Passport Production System, Secure Credential Personalization System, GPO's Business Information System, Public Key Infrastructure, and the General Support System.

For minor applications, IT&S reported that streamlined security reviews are conducted and that the Authority to Operate process relies on continuous monitoring and change management approved by the Configuration Control Board. However, GPO could not demonstrate that minor applications and subsystems with varying impact levels had adequate protection established by either major applications or general support systems.
This was due to GPO's use of a streamlined security process.

If an incident were to occur, GPO could experience anywhere from minor delays to major service disruptions. For example, GPO's print procurement process relies on major legacy applications to generate random and rotating potential vendor lists for solicitations based upon order specifications; allow print procurement customers to place orders directly with a GPO contractor; format payment files to produce checks; and provide order entry capability, order status, contractor performance history, quality records, exception reports, and order tracking.

For GPO's print production operations, a senior manager told us that if the Production Estimating and Planning System, a major legacy application, were to go offline, the impact would greatly affect GPO's ability to provide Congressional and executive agency publications.

Recommendations

To strengthen GPO's risk acceptance process, we recommend that the Chief Information Officer:

1. Categorize applications as low, moderate, or high risk based on the confidentiality, integrity, and availability of the information they store, process, or transmit.

2. Conduct risk assessments that include, at a minimum, an assessment of the sensitivity of data, threats, vulnerabilities, and the effectiveness of current/proposed safeguards, and document the risk assessments.

3. Develop procedures or guidance that provide adequate, detailed instructions for risk acceptance.

4. Determine whether each major application or general support system provides adequate protection to its subordinate minor applications.

5.
Inform business units about the exposure and potential impact on the business unit's operations if the security solution for the identified risk(s) is not feasible or cannot be implemented.

Management's Response

The Chief Information Officer indicated that these recommendations are reasonable activities that generally require long-term remediation actions and a significant investment by GPO. IT&S is working to implement OIG's recommendations.

Management either concurred or partially concurred with the recommendations. Partial concurrence was based on budgetary limitations. We consider management's planned actions responsive to the recommendations. The recommendations are resolved and will remain open until planned action is complete.

Background

In a memorandum dated September 13, 2012, IT&S reported that management would accept the risk for eight of its 16 major legacy applications without conducting a C&A or having any security-related documentation. For the remaining eight major applications, GPO would allocate adequate resources for bringing those applications into full compliance with GPO Directive 825.33B, "Information Technology Security Program Statement of Policy," May 24, 2011.
The eight major legacy applications are listed below.

• Automated Bid List System (ABLS)
• GPO Printing Request Order Control (GPOPROC)
• Microcomp
• Paybase
• Procurement Information Control System (PICS)
• PICSWEB
• Production Estimating and Planning System (PEPS)
• Retail Order Processing System (ROPS)

In conjunction with accepting the risk for the major legacy applications, IT&S asked OIG on September 18, 2012, for closure of the following open recommendations: [1]

• OIG Recommendation 10-03-04 – "Perform periodic security testing of all major applications."
• OIG Recommendation 10-03-16 – "Produce security plans for all major applications."
• OIG Recommendation 10-03-17 – "Produce risk assessments for all major applications."
• OIG Recommendation 10-03-18 – "Define required security controls and document in security plans for all major applications."
• OIG Recommendation 10-03-19 – "Certify and accredit all major applications."

IT&S noted, however, that eight additional major applications for which deficiencies and recommendations still apply will continue to operate within the boundaries of GPO's current plan.

IT&S also reported that streamlined security reviews are conducted for minor applications and that the Authority to Operate process relies on continuous monitoring and change management approved by the Configuration Control Board.

[1] OIG Report Number 10-03, GPO's Compliance with FISMA, dated January 12, 2010.

Federal Security Practices

The E-Government Act of 2002 (Public
Law 107-347) — passed and signed into law in December 2002 — recognized the importance of information security to the economic and national security interests of the United States. Title III of that Act, entitled the Federal Information Security Management Act (FISMA), tasked NIST with the responsibility for establishing standards and guidelines. These included standards for Federal agencies to use when categorizing information and information systems collected or maintained by or on behalf of each agency, based on the objective of providing appropriate levels of information security according to a range of risk levels.

Federal security practices require that agencies assess the risk and magnitude of harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. Both FIPS 199 and related NIST guidance provide a common framework for categorizing systems according to risk. The framework establishes three levels of potential impact on organizational operations, assets, or individuals should a breach of security occur — high (severe or catastrophic), moderate (serious), and low (limited) — and is used to determine the impact related to confidentiality, integrity, and availability.

Once determined, security categories are used with vulnerability and threat information in determining the minimum security requirements for the system and in assessing the risk to an organization. Risk assessments help ensure that the greatest risks are identified and addressed, increase the understanding of risk, and provide support for needed controls. OMB Circular No.
A-130, Appendix III, "Security of Federal Automated Information Resources," prescribes that risk be assessed when significant changes are made to major systems and applications in an agency's inventory, or at least every 3 years.

Consistent with NIST guidance, GPO Directive 825.33B, "Information Technology Security Program Statement of Policy," May 24, 2011, establishes policies, assigns organizational and management roles and responsibilities, and establishes minimum requirements for the development, implementation, maintenance, and oversight of an IT security program.

Although not subject to the E-Government Act of 2002, NIST Special Publications, FIPS Publications, or OMB Circulars, GPO has generally adopted those standards and operating procedures because they are not only consistent with its strategic goals but are also best business practices.

Prior OIG Audit Report

In June 2012, we reported [2] that strengthening security accreditation, a form of quality control, would challenge managers and technical staff at all levels to implement the most effective security controls possible for an information system. Based on that review, we noted that not all elements of the C&A process were completed before a hosted Web site was authorized to operate, and we recommended that GPO conduct C&A activities reflecting the risk management framework approach established in NIST Special Publication 800-37. In its management response, GPO expressed concern about the recommendation, stating that complying would have serious financial and resource implications for the Agency.
As a result, management stated it would conduct a cost-benefit analysis to determine whether the recommendation could be implemented within the fiscal and resource constraints of the Agency.

Results and Recommendations

GPO reported that it considered the following factors when determining the level of risk acceptance for the eight major legacy applications.

• Of the eight applications, seven are mainframe applications and by definition not Internet-facing applications, thereby reducing risk. A contracted service provider hosts GPO's mainframe applications. The service provider has both a primary site and a backup site for the mainframe. IT&S stated that such a configuration significantly reduces contingency risks. In addition, mainframe applications have two separate levels of user account security: a mainframe user account and an application user account. IT&S believes the two layers of security reduce risk.
• GPO plans to retire and replace the eight major applications in the near term.
• Many of the eight major applications recommended for potential risk acceptance have been in operation at GPO for more than 20 years without any known IT security incident or fraudulent usage incident.
• Data stored and processed by the applications are non-sensitive.
• The Agency uses an ongoing monitoring program that encompasses annual user access reviews, periodic reviews of random transactions by the specific business areas, and validation of a sample of transactions for completeness and the absence of issues or fraud.

While GPO considered some important information, it may benefit GPO to assess the risk and magnitude of harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.
Our audit revealed: (1) applications were not categorized as low, moderate, or high risk based on the confidentiality, integrity, and availability of the information they store, process, or transmit; (2) risk assessments were not fully completed; and (3) risk acceptance procedures or guidelines have not been developed.

[2] OIG Report Number 12-13, Audit of Computer Security Handling a Denial of Service Incident, dated June 28, 2012.

Without categorizing applications, conducting risk assessments, providing a uniform approach to risk acceptance, and ensuring that minor applications are protected, management was not assured that controls were applied at the appropriate levels to help prevent unauthorized access, use, disclosure, disruption, modification, or destruction. Management attributed the deficiencies, in part, to a shortage of employees and a lack of funding. For example, we were told that between the early 2000s and 2013, IT staffing that supported mainframe applications went from approximately 50 to 16, a decline of 34 or 68 percent — without replacement fills for vacancies. The CIO also stated that funding to address the deficiencies in resources was not available.

Categorization of Risk. GPO did not categorize applications as low impact, moderate impact, or high impact based on the confidentiality, integrity, and availability of the information they store, process, or transmit. Best business practices support the use of categorization.

FIPS 199 establishes security categories for Federal agencies to use in categorizing information and information systems based on the potential impact of a loss of confidentiality, integrity, or availability on an agency mission or on individuals.
The publication states that systems should be categorized as low, moderate, or high based on the confidentiality, integrity, and availability of the information they store, process, or transmit.

NIST FIPS 200, "Minimum Security Requirements for Federal Information and Information Systems," March 2006, is the second of the security standards developed in response to FISMA and provides a minimum "foundational" level of security controls to select for protecting the confidentiality, integrity, and availability of information and systems. NIST Special Publication 800-53 (Revised), "Recommended Security Controls for Federal Information Systems and Organizations," August 2009, provides 17 control families for protecting Federal information and information systems. The standard states that a selected set of security controls must include one of the three appropriately tailored security control baselines from NIST Special Publication 800-53, which are associated with the designated impact levels of the organizational information systems as determined during the security categorization process.

Risk Assessment. A risk assessment is a process for analyzing and interpreting risk. A risk assessment comprises three basic activities: (1) determining the assessment's scope and methodology; (2) collecting and analyzing data; and (3) interpreting the risk analysis results. GPO did not conduct risk assessments for the eight major applications and four minor applications we reviewed.

The first steps in assessing risk include identifying the system under consideration, the part of the system that will be analyzed, and the analytical method, including its level of detail and formality. The assessment may be focused on areas where the degree of risk is either unknown or known to be high.
Risk has many varying components: assets, threats, vulnerabilities, safeguards, consequences, and likelihood. This examination normally includes gathering data about the threatened area and synthesizing and analyzing the information to make it useful. Organizations use risk assessment in support of two related functions: acceptance of risk and selection of cost-effective controls. Instances may exist, however, where a risk is so significant, even after steps have been taken to mitigate it, that a separate risk acceptance approval by management could be appropriate.

GPO Directive 825.33B establishes policies, assigns organizational and management roles and responsibilities, and establishes minimum requirements for the development, implementation, maintenance, and oversight of an IT security program. The policy requires that management conduct risk assessments on all systems and computer installations at least once every 3 years or when a significant change occurs to the configuration of the system. IT&S Information Security must also review risk assessments annually to ensure the risks reflect the current configuration of the system or installation. Risk assessments must be in writing and include, at a minimum, the sensitivity of data, threats, vulnerabilities, and the effectiveness of current/proposed safeguards. Sensitivity assessments must be conducted during the initiation phase of the system's development life cycle.

Appendix III of OMB Circular A-130 requires that Federal agencies plan for security, ensure that appropriate officials are assigned security responsibilities, periodically review the security controls in their information systems, and authorize system processing prior to operations and periodically thereafter. OMB also requires reauthorization of Federal systems — or reaccreditation — at least once every 3 years through a C&A process.
Certification of a system requires assessing risk, planning security, testing minimum security controls, creating plans of action for identified weaknesses, and mitigating risks. An authorizing officer appointed by the agency, typically a senior executive, reviews the certification results and reaccredits the system when that system's operation poses minimal security risk.

Risk Acceptance Procedures or Guidelines. Management did not develop procedures or guidelines for risk acceptance. At some point, management must decide — based on the kind and severity of the remaining risks — that operation of the computer system is acceptable. Managers do not always understand computer-based risk because the type of risk may be different from risks previously associated with the organization or function, the risk may be technical and difficult for a lay person to understand, or the proliferation and decentralization of computing power can make it difficult to identify key assets that may be at risk.

Risk acceptance, like the selection of safeguards, should take into account various factors aside from those addressed in the risk assessment. Risk acceptance should also take into account the limitations of the risk assessment. Risk acceptance is linked to the selection of safeguards because, in some cases, risk may have to be accepted because safeguards are too expensive.

Within the Federal Government, the acceptance of risk is closely linked with an authorization to use a computer system, often called accreditation. Accreditation is management's acceptance of risk resulting in formal approval for the system to become operational or remain so.
One of the two primary functions of risk management is the interpretation of risk for the purpose of risk acceptance.

Table 1 depicts the details of the significant information available to GPO for each of the eight major applications.

Table 1. Information Considered for the Risk Acceptance for the Eight Major Legacy Applications (as of January 2013)

Columns (each answered Yes/No for the application reviewed):
  (A) C&A completed?
  (B) Risk assessment completed?*
  (C) Categorized based on FIPS 199 as Low, Medium, or High risk?
  (D) Assessment of the sensitivity of data completed?
  (E) Assessment of threats completed?
  (F) Assessment of vulnerabilities completed?
  (G) Assessment of effectiveness of current or proposed safeguards completed?

Major Legacy Application Reviewed             (A)   (B)       (C)   (D)   (E)   (F)   (G)
Automated Bid List System                     No    Partial   No    No    No    No    No
GPO Printing Request Order Control            No    Partial   No    No    No    No    No
Microcomp                                     No    Partial   No    No    No    No    No
Paybase                                       No    Partial   No    No    No    No    No
Procurement Information Control System        No    Partial   No    No    No    No    No
Procurement Information Control System Web    No    Partial   No    No    No    No    No
Production Estimating and Planning System     No    Partial   No    No    No    No    No
Retail Order Processing System                No    Partial   No    No    No    No    No

* Partial was assessed due to vulnerability scans conducted by GPO.

The potential business impact from each of the eight major legacy applications is described below.

Automated Bid List System. ABLS generates random and rotating potential vendor lists for solicitations based upon order specifications. Vendors are invited to submit bids and quotes for the solicitations. GPO has three primary methods of soliciting bids and quotes for procurements. The first method is through solicitations that are faxed, emailed, or physically mailed directly to qualified vendors on a rotational basis using ABLS.
Even if ABLS were offline, GPO has two other methods to solicit\nbids and quotes for procurement. The second method is to solicit through GPO\xe2\x80\x99s\npublic website (www.gpo.gov/bidopps/index.html) and the Federal Business\nOpportunities website (www.fedbizopps.gov). The third method is directly through the\nGPO Procurement Offices: vendors or vendors\xe2\x80\x99 representatives may visit GPO\xe2\x80\x99s\nCentral Office Bid Section in Washington, DC, or any regional office (RO) to view\navailable bid opportunities. The business impact may be minimal because these\nsecondary methods are capable of providing similar functions.\n\nGPO Printing Request Order Control. GPOPROC allows print procurement\ncustomers to place orders directly with a GPO contractor. GPOPROC (1)\ngenerates the purchase order, the transmittal letter for the Federal agency, and the\nletter to the vendor; (2) assists with writing the printing specifications, print job\nrequirements, and contract language; and (3) searches for previous and similar\norders. If GPOPROC were unavailable, the entire purchase order could be completed\nmanually with a ballpoint pen. This may delay procurement activities and make it\ndifficult to gather and analyze program-wide data.\n\nMicrocomp. Microcomp is used to compose the majority of Congressional\ndocuments produced by GPO as well as key Executive agency publications. These\nproducts are printed and disseminated electronically by GPO. An estimated 700\nrelated applications and utilities have been developed over the years to sustain and\nenhance Microcomp in support of the evolving needs of GPO\xe2\x80\x99s Congressional\ncustomers, in-house print, and electronic access. If Microcomp were offline, it could\ndelay the production of Congressional documents as well as key Executive agency\npublications.\n\nPaybase. 
Paybase formats payment files to produce laser-printed checks on blank check\nstock with secure Magnetic Ink Character Recognition (MICR) encoding; processes\nelectronic automated clearinghouse payments; generates and delivers remittances\nfor both paper checks and electronic payments; and provides digital archiving and\nretrieval. MICR refers to the numbers printed along the bottom of a check. If\nPaybase were offline, GPO\xe2\x80\x99s processing of payments in these formats may be\ndelayed.\n\nProcurement Information Control System. PICS is GPO\xe2\x80\x99s main information and\norder-tracking system, used in large part to support GPO\xe2\x80\x99s print procurement\nprograms. It provides order entry, order status, contractor performance\nhistory, quality records, and exception reports. It integrates with GPOPROC to\nexchange specification details and also integrates with PEPS and GBIS. If PICS were\noffline, information and order tracking may be delayed.\n                                          11\n\x0cPICSWEB. PICSWEB is a web-based user application that enables Government\nagencies to access PICS. PICSWEB provides customer access to central and\nregional office records and current job status; quality assurance information,\nincluding quality level and press sheet inspection schedules and results; contractor\nname and address information; an estimating tool; electronic submission of 2511s\n(direct deal print orders only); and electronic submission of Non-Compliance Reports\n(907). If PICSWEB were offline, GPO customers may not be able to track their print\nprocurement orders, review quality assurance information, obtain contractor\ninformation, or access estimating tools.\n\nProduction on Estimating and Planning System. 
PEPS is used primarily\nto facilitate Congressional print jobs as well as print jobs for other federal agencies.\nGPO\xe2\x80\x99s plant operations rely on PEPS to provide production estimating,\nscheduling, and tracking functions as well as a centralized point for data collection\nand record keeping for in-house production. There are between 100 and 150 users of\nthis application. Prepress, Bindery, and Press are examples of sections within GPO\nthat rely on PEPS data to track job status as jobs move between divisions. If PEPS\nwere offline, it could reduce GPO\xe2\x80\x99s ability to complete printing jobs for Congress and\nother federal agencies on schedule.\n\nRetail Order Processing System. ROPS is part of an overall sales order system and is\nused to expedite and control the processing of retail orders, whether keyed\ndirectly into the system or brought in through a batch process from an\noutside source. If the application were offline, GPO may have to manually produce\npicking tickets, picking lists, and customer order information notices for the\nacceptance of orders.\n\nMinor Applications\n\nIT&S reported that streamlined security reviews are conducted for minor\napplications and that the Authority to Operate process relies on continuous monitoring\nand on change management approved by the Configuration Control Board.\n\nAgencies are expected to exercise judgment in determining which of their\napplications are minor applications and to ensure that the security requirements of\nthose applications are addressed as part of the system security plan for the\napplicable general support system or, in some cases, the applicable major\napplication. 
GPO could not demonstrate that its minor applications and subsystems receive\nadequate protection from the major applications or general support systems on\nwhich they reside.\n\nIt is common for a minor application to have a majority of its security controls\nprovided by the general support system or major application on which it resides. In\nsuch a case, the information system owner of the general support system or major\napplication is also the information system owner for the minor application and is\nresponsible for developing the system security plan. The additional security\ncontrols specific to the minor application should be documented in the system\n                                          12\n\x0c    security plan as an appendix or paragraph. The minor application owner may\n    develop the additional controls.\n\n    A minor application can have a FIPS 199 security category of low or moderate.\n    However, if the minor application resides on a system that does not have adequate\n    boundary protection, the minor application must implement the minimum baseline\n    controls required by the host or interconnected system. Our review of four\n    randomly selected minor applications is detailed in Table 2.\n\nTable 2. Information Available for Four Sampled Minor Applications (as of January 2013)\n\nColumns (each answered Yes/No):\n  (A) C&A completed?\n  (B) Risk assessment completed?\n  (C) Categorized as Low, Moderate, or High?\n  (D) Boundaries established by a major application?\n  (E) Boundaries established by a general support system?\n\nMinor Application Reviewed                                  (A)   (B)       (C)   (D)   (E)\n----------------------------------------------------------  ----  --------  ----  ----  ----\nPermanent Universal Resource Locators (PURLs)               No    No        No    No    No\nProfile, Administration, Management And Library Analysis    No    No        No    No    No\nHazard (Substances) Communications System                   No    No        No    No    No\nGPO.gov                                                     No    Partial*  No    No    No\n\n* Assessed as Partial because GPO had conducted vulnerability scans.\n\n\n    Recommendations\n\n    To improve the effectiveness of GPO\xe2\x80\x99s risk acceptance process, we recommend that\n    the Chief Information Officer:\n\n    1. Categorize each application as low, moderate, or high based on the\n       confidentiality, integrity, and availability impact of the information it stores,\n       processes, or transmits.\n\n    2. Conduct risk assessments that include, at a minimum, an assessment of the\n       sensitivity of data, threats, vulnerabilities, and the effectiveness of current or\n       proposed safeguards, and document the risk assessments.\n\n    3. Develop procedures or guidance that provide detailed instructions for risk\n       acceptance.\n\n    4. Determine whether each major application or general support system provides\n       adequate protection to its subordinate minor applications.\n\n\n\n\n                                                     13\n\x0c5. Inform business units of the exposure and potential impact on the business\n   unit\xe2\x80\x99s operations if the security solution for the identified risk(s) is not\n   feasible or cannot be implemented.\n\nManagement\xe2\x80\x99s Response\n\nRecommendation Number 1: The Chief Information Officer partially concurred. 
The\nChief Information Officer reported this is a reasonable activity that will require\ncommitment of additional resources to achieve. IT&S believes this can be\naccomplished for the major applications at GPO by December 31, 2013, with existing\nIT&S resources. However, the 231 minor applications at GPO cannot be completed\nwithin FY13 or by the end of FY14 without additional resources being provided to\nIT&S. It is estimated that this would be completed by the end of FY14.\n\nRecommendation Number 2: The Chief Information Officer partially concurred. The\nChief Information Officer reported this is a reasonable activity that will require\nresource commitments to achieve. Conducting risk assessments is a component\nactivity contained within Recommendation Number 5. It would be the most\nefficient overall to GPO, in the context of all the recommendations in this report, to\nconduct the risk assessments as part of the overall Certification and Accreditation\nactivities in Recommendation Number 5.\n\nRecommendation Number 3: The Chief Information Officer concurred. The Chief\nInformation Officer reported this is a reasonable activity and IT&S estimates that it\ncan be completed with existing IT&S resources by December 31, 2013.\n\nRecommendation Number 4: The Chief Information Officer partially concurred. The\nChief Information Officer reported this is a reasonable activity that will require\nadditional resource commitments for IT&S. There are 231 minor applications listed\non the GPO IT&S Enterprise Architecture site. IT&S estimates there is no capacity\nwith existing IT&S resources to make the recommended determination. 
It is\nestimated that it would take 18-24 months to complete this based on the\ndependency on major application risk assessments and control analysis.\n\nRecommendation Number 5: The Chief Information Officer partially concurred.\nIT&S believes that in order to meet this recommendation, it would be most efficient\nto conduct the Certification and Accreditation process for all legacy major\napplications. IT&S estimates that this activity would require contractor\n(professional service) resources to achieve and that 18-24 months of time would be\nneeded to complete this recommendation following the NIST requirements as the\nOIG recommends.\n\n\n\n\n                                           14\n\x0cEvaluation of Management\xe2\x80\x99s Response\n\nThe Chief Information Officer indicated these recommendations are reasonable\nactivities that generally require long-term remediation actions and a significant\ninvestment by GPO. IT&S is working to implement OIG\xe2\x80\x99s recommendations.\n\nWe consider management\xe2\x80\x99s planned actions responsive to the recommendations.\nThe recommendations are resolved and will remain open until the planned actions are\ncomplete.\n\n\n\n\n                                            15\n\x0cAppendix A - Objectives, Scope, and Methodology\n\nWe performed the audit from September through December 2012 at the GPO\nCentral Office in Washington, D.C. We conducted the audit in accordance with\ngenerally accepted government auditing standards. Those standards require that\nwe plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit\nobjectives. 
We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objectives.\n\nObjectives\n\nWe conducted this audit to answer the following question: \xe2\x80\x9cWhat process did GPO\nfollow when accepting risks associated with major legacy and minor applications?\xe2\x80\x9d\n\nScope and Methodology\n\nTo meet our objectives:\n\n\xe2\x80\xa2   We reviewed policies and procedures in place from September to December\n    2012.\n\n\xe2\x80\xa2   We requested risk assessments and risk acceptance documentation for the eight\n    major legacy applications reported by IT&S in September 2012.\n\n\xe2\x80\xa2   We randomly selected four minor applications to confirm GPO\xe2\x80\x99s statement that\n    C&As and risk assessments had not been conducted.\n\n\xe2\x80\xa2   We conducted interviews with GPO staff to gain an understanding of GPO\xe2\x80\x99s\n    policies, procedures, systems, and processes related to risk assessment and\n    acceptance as they pertain to information technology.\n\n\xe2\x80\xa2   We also interviewed key management officials responsible for establishing and\n    monitoring the risk acceptance process and for reviewing and approving the\n    acceptance of risk.\n\nWe used the results of our work to support our conclusions.\n\nManagement Controls Reviewed\n\nWe determined that the following internal controls were relevant to our audit\nobjective:\n\n\n\n\n                                         16\n\x0cProgram Operations \xe2\x80\x93 Policies and procedures that GPO management implemented\nto reasonably ensure that the risk acceptance process met GPO\xe2\x80\x99s objectives.\n\nCompliance with Laws and Regulations \xe2\x80\x93 Policies and procedures that management\nhas implemented to reasonably ensure that resource use is consistent with laws and\nregulations.\n\nThe details of our examination of management controls, the results of 
our\nexamination, and the management control deficiencies noted are contained in the\nreport narrative. Implementing the recommendations in this report should correct\nthose management control deficiencies.\n\n\n\n\n                                        17\n\x0cAppendix B \xe2\x80\x93 Management\xe2\x80\x99s Response\n\n\n\n\n                             18\n\x0cAppendix C - Status of Recommendations\n\n\nRecommendation   Resolved   Unresolved   Open/ECD*                                       Closed\n1                x                       Minor applications: end of FY 2014\n                                         Major applications: 12/31/2013\n2                x                       8 months from the date additional contractor\n                                         resources are made available\n3                x                       12/31/2013\n4                x                       24 months from the date additional contractor\n                                         resources are made available\n5                x                       24 months from the date additional contractor\n                                         resources are made available\n\n*Estimated Completion Date.\n\n\n\n\n                                    21\n\x0cAppendix D \xe2\x80\x93 Final Report Distribution\n\nActing Public Printer\nAssistant Public Printer, Operations\nGeneral Counsel\n\n\n\n\n                                       22\n\x0cMajor Contributors to the Report\n\nDaniel Rose, Lead Information Technology Specialist\n\n\n\n\n                                       23\n\x0c"